#!/bin/sh

#theme
uci set luci.main.mediaurlbase='/luci-static/argon'
uci commit luci

#timezone
uci set system.@system[0].timezone=CST-8
uci set system.@system[0].zonename=Asia/Shanghai
uci commit system

#filebrowser
uci set filebrowser.@global[0].executable_directory='/opt/sbin'
uci commit filebrowser

#ntp server
uci del system.ntp.enabled
uci del system.ntp.enable_server
uci set system.@system[0].log_proto='udp'
uci set system.@system[0].conloglevel='8'
uci set system.@system[0].cronloglevel='5'
uci del system.ntp.server
uci add_list system.ntp.server='ntp1.aliyun.com'
uci add_list system.ntp.server='ntp2.aliyun.com'
uci add_list system.ntp.server='ntp3.aliyun.com'
uci add_list system.ntp.server='ntp4.aliyun.com'
uci commit system

#feed
sed -i 's,21.02,21.02-SNAPSHOT,g' /etc/opkg/distfeeds.conf
sed -i 's,downloads.openwrt.org,mirror.sjtu.edu.cn/openwrt,g' /etc/opkg/distfeeds.conf

#nginx
uci set nginx.global.uci_enable='false'
uci commit nginx

rm /etc/nginx/uci.conf
cat >/etc/nginx/nginx.conf <<"EOF"
# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

worker_processes auto;

user root;

error_log /dev/null;

events {
  worker_connections 1024;
}

http {
    access_log off;
    server_names_hash_bucket_size 64;
    #log_format openwrt
    #    '$request_method $scheme://$host$request_uri => $status'
    #    '(${body_bytes_sent}B in ${request_time}s) <- $http_referer';

    include mime.types;
    default_type application/octet-stream;
    sendfile on;

    client_max_body_size 1024M;
    large_client_header_buffers 2 1k;
    keepalive_timeout 600s;

    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_types text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
    brotli on;
    brotli_types text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
    brotli_static on;
    brotli_comp_level 6;
    brotli_buffers 16 10k;
    brotli_window 512k;
    brotli_min_length 20;

    root /www;

    server {
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name _lan;
      include restrict_locally;
      include conf.d/*.locations;
      access_log off; # logd openwrt;
    }

    include conf.d/*.conf;
}
EOF

cat >/etc/nginx/conf.d/luci.locations <<"EOF"
location /cgi-bin/luci {
		index  index.html;
		include uwsgi_params;
		uwsgi_param SERVER_ADDR $server_addr;
		uwsgi_modifier1 9;
		uwsgi_send_timeout 600;
		uwsgi_connect_timeout 600;
		uwsgi_read_timeout 600;
		uwsgi_pass unix:////var/run/luci-webui.socket;
}
location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
		include uwsgi_params;
		uwsgi_param SERVER_ADDR $server_addr;
		uwsgi_modifier1 9;
		uwsgi_send_timeout 600;
		uwsgi_connect_timeout 600;
		uwsgi_read_timeout 600;
		uwsgi_pass unix:////var/run/luci-cgi_io.socket;
}

location /luci-static {
		error_log stderr crit;
}
EOF

# Nginx - 允许公网IP访问
sed -i "s/deny all/#deny all/g" /etc/nginx/restrict_locally

/etc/init.d/nginx restart
/etc/init.d/nginx enabled
#nginx end

#firewall
#uci set firewall.@defaults[0].fullcone='1'
#uci set firewall.@defaults[0].flow_offloading='1'
#uci commit firewall

#upnp
uci set upnpd.config.igdv1='1'
uci set upnpd.config.enabled='1'
uci del upnpd.config.enable_upnp
uci del upnpd.config.enable_natpmp
uci set upnpd.config.external_iface='wan'
uci commit upnpd

#openclash
echo "/etc/openclash/" >> /etc/sysupgrade.conf && cat /etc/sysupgrade.conf | sort | uniq > /tmp/tmp_sysupgrade_conf && cat /tmp/tmp_sysupgrade_conf > /etc/sysupgrade.conf

#dnsmasq
uci set dhcp.lan.ra='hybrid'
uci set dhcp.lan.ndp='hybrid'
uci set dhcp.lan.dhcpv6='hybrid'
uci set dhcp.lan.ra_management='1'
uci del dhcp.@dnsmasq[0].rebind_protection='1'
uci commit dhcp
sed -i '/log-facility/d' /etc/dnsmasq.conf
echo "log-facility=/dev/null" >> /etc/dnsmasq.conf

#packet_steering
uci set network.globals.packet_steering='1'
uci commit network
/etc/init.d/network restart

#SSRP
uci set shadowsocksr.@global[0].gfwlist_url='https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/gfw.txt'
uci set shadowsocksr.@global[0].chnroute_url='https://cdn.jsdelivr.net/gh/QiuSimons/Chnroute@master/dist/chnroute/chnroute.txt'
uci commit shadowsocksr

#link
ln -sf /sbin/ip /usr/bin/ip
ln -sf /usr/bin/wget /usr/bin/wget-ssl

#Flag packages
opkg flag hold luci-app-firewall
opkg flag hold firewall
opkg flag hold dnsmasq-full

#luci cache
rm -rf /tmp/luci-modulecache
rm -f /tmp/luci-indexcache

exit 0
